b' DOE/IG-0568\n\n\n\n\n                              REMOTE ACCESS TO UNCLASSIFIED\n          AUDIT                   INFORMATION SYSTEMS\n         REPORT\n\n\n\n\n                                          SEPTEMBER 2002\n\n\n\n\n U.S. DEPARTMENT OF ENERGY\nOFFICE OF INSPECTOR GENERAL\n  OFFICE OF AUDIT SERVICES\n\x0c                   U. S. DEPARTMENT OF ENERGY\n                         Washington, DC 20585\n\n                           September 13, 2002\n\n\nMEMORANDUM FOR THE SECRETARY\n\nFROM:                     Gregory H. Friedman (Signed)\n                          Inspector General\n\nSUBJECT:                  INFORMATION: Audit Report on "Remote Access to Unclassified\n                          Information Systems"\n\nBACKGROUND\n\nLike most private sector and government organizations, the Department of Energy has an\naggressive program to provide its Federal and contractor personnel with the ability to remotely\naccess a number of unclassified information systems. Such access allows travelers,\ntelecommuters and those who occasionally work off-site to more easily perform business-\nrelated functions from remote locations. Personnel are able, for example, to retrieve electronic\nmail, access business or other operational systems and administer systems or networks by\nusing government or privately-owned computer equipment. Generally, remote access to the\nDepartment\'s networks is achieved through dial-in modems or through internet connections.\n\nWhile the benefits of such access are clear, there is a corresponding increase in certain inherent\nrisks, most importantly, the potential for unauthorized access to the Department\'s information\nsystems. Based on several recent investigative cases relating to attempts to intrude into the\nDepartment\'s systems, we initiated this audit designed to assess the Department\'s performance\nin managing the risk associated with remote access to unclassified information systems.\n\nRESULTS OF AUDIT\n\nThe majority of the offices we reviewed had not adequately protected information systems\nfrom unauthorized remote access. Although we found several offices which had implemented\neffective risk-mitigation strategies, of the 13 organizations included in our review:\n\n   \xe2\x80\xa2   Ten had not considered the risk associated with remote access when developing cyber\n       security protection plans;\n   \xe2\x80\xa2   Nine had not developed specific guidance addressing remote access security\n       requirements; and,\n   \xe2\x80\xa2   Nine had not required the use of protective measures such as personal firewalls, and\n       up-to-date virus protection and systems software when accessing network resources.\n\nInadequate protective measures over remote access placed the Department\'s critical\nunclassified information systems at risk of data tampering, fraud, disruptions in critical\noperations, and inappropriate disclosure of sensitive or Privacy Act information. We\n\x0c                                              -2-\n\n\nconcluded that the Department needs to better enforce requirements for risk assessments,\nprovide additional guidance for security implementation and evaluation, and establish\nperformance measures related to remote access risk mitigation. The report includes\nrecommendations to implement these actions.\n\nIn our Special Report on Management Challenges at the Department of Energy, (DOE/IG-\n0538, December 2001), we concluded that security of cyber assets is one of the most\nsignificant challenges facing the Department. Systematic development and implementation of\ncomputer security is essential to mitigating the risk of compromise to the Department\'s critical\ninformation technology resources.\n\nSpecific information regarding programs and sites reviewed has been omitted from this report\nbecause of security concerns. Cognizant officials were provided information on specific\nvulnerabilities identified during our audit fieldwork.\n\nMANAGEMENT REACTION\n\nManagement agreed with our recommendations and indicated that certain corrective actions\nwere in process or had been completed. In response to our report, management pledged to\nimplement a new security directive, implementing guidance and to improve security planning.\nAlso, management stated that direction had been given to specifically address remote access\nsecurity during the self-assessment process.\n\n\nAttachment\n\ncc: Chief of Staff\n    Under Secretary for Energy, Science and Environment\n    Acting Administrator, National Nuclear Security Administration\n    Assistant Secretary for Environmental Management\n    Assistant Secretary for Fossil Energy\n    Director, Office of Science\n    Director, Office of Security\n    Director, Office of Management, Budget and Evaluation/Chief Financial Officer\n    Administrator, Energy Information Administration\n    Chief Information Officer\n\x0cREMOTE ACCESS TO UNCLASSIFIED INFORMATION SYSTEMS\n\nTABLE OF\nCONTENTS\n\n\n\n               Overview\n\n               Introduction and Objective .................................................................... 1\n\n               Conclusions and Observations .............................................................. 1\n\n\n               Remote Access Related Performance Issues\n\n               Details of Finding .................................................................................. 3\n\n               Recommendations and Comments ........................................................ 6\n\n\n               Appendices\n\n               Scope and Methodology ........................................................................ 8\n\n               Prior Reports ......................................................................................... 9\n\n               Management Comments ...................................................................... 11\n\x0cOverview\n\nINTRODUCTION AND   In today\'s environment, rapid advances in information technology are\nOBJECTIVE          credited with generating tremendous benefits as well as creating\n                   significant and unprecedented risk to government operations. As a\n                   result, computer security has become a critical element at all levels of\n                   government.\n\n                   To facilitate business operations, the Department of Energy\n                   (Department) and its contractors provide employees the ability to\n                   remotely access a number of unclassified information systems. Such\n                   access offers travelers, telecommuters, and those who occasionally\n                   work off-site or at home the convenience and ability to perform\n                   business-related functions from a remote location. Personnel are able to\n                   retrieve electronic mail, access business or other operational systems, or\n                   administer systems or networks by using government or privately-\n                   owned computing equipment. Remote access to the Department\'s\n                   networks is achieved through various methods such as dial-in modems,\n                   commercial high-speed Internet services, and other Internet procedures.\n\n                   As more organizations permit remote access to their networks,\n                   complexities associated with protecting information systems increase\n                   exponentially. Because the Department\'s unclassified network is\n                   logically connected to a common wide area network and linked to\n                   Headquarters and virtually all organizations in the complex, the\n                   potential for harm from a single system compromise is significant.\n\n                   We initiated this audit to assess the Department\'s performance in\n                   managing the risk associated with remote access of unclassified\n                   information systems.\n\n\nCONCLUSIONS AND    While certain organizations had implemented protective measures, the\nOBSERVATIONS       Department\'s performance in mitigating the risk associated with remote\n                   access to unclassified information systems was not adequate. Programs\n                   or sites we reviewed had not (1) considered the risk associated with\n                   remote access when preparing security plans, (2) developed specific\n                   guidance for remote access security, and (3) required protective\n                   measures such as personal firewalls and virus protection software.\n\n                   Federal and Departmental directives require organizations to\n                   continually assess the risk to computer systems and maintain security\n                   commensurate with that risk. Despite these requirements,\n                   vulnerabilities existed because Departmental organizations had not\n                   focused sufficient attention on the risk of harm associated with remote\n\n\nPage 1                                                       Introduction and Objective/\n                                                          Conclusions and Observations\n\x0c         access. Inadequate protective measures placed the Department\'s critical\n         unclassified information systems at risk of attack from internal and\n         external sources and could ultimately result in data tampering, fraud,\n         disruptions in critical operations, and inappropriate disclosure of\n         sensitive or Privacy Act information. Adequate protection against these\n         adverse consequences is important to meeting the President\'s\n         management agenda initiative regarding the use of information\n         technology to improve government operations.\n\n         Management should consider the issues identified in this report when\n         preparing its year-end assurance memorandum on internal controls.\n\n\n\n\n                                                    (Signed)\n                                             Office of Inspector General\n\n\n\n\nPage 2                                        Conclusions and Observations\n\x0cRemote Access Related Performance Issues\n\nPlanning and          We reviewed the remote access security strategies of 13 program office\nProtective Measures   or site organizations. Although certain of these organizations had\n                      implemented protective measures, many had not developed and\n                      implemented strategies sufficient to mitigate the risk associated with\n                      remote access to their unclassified information systems. While most\n                      organizations had developed security plans and cyber security\n                      guidance, related documentation often did not specifically address risks\n                      or requirements associated with remote access. Where implemented,\n                      protective measures for remote access varied widely in scope and\n                      effectiveness.\n\n                                 Security Planning and Implementation Guidance\n\n                      Most organizations did not perform or had not documented a risk-based\n                      approach to identifying remote access threats or specifying protective\n                      measures. Of the 13 organizations reviewed, only 4 provided a\n                      documented assessment of risk and only 3 of those assessments\n                      addressed remote access. In particular, we noted that one organization\n                      providing centrally managed network and remote access services to a\n                      number of program offices had not performed a risk assessment or\n                      specified protective measures even though participating organizations\n                      relied on it for security administration.\n\n                      Consistent with the lack of risk assessments, many of the organizations\n                      we reviewed had also not developed specific guidance addressing\n                      remote access security requirements. Of the sites or program offices\n                      reviewed, we noted that only 4 of 13 had developed guidance that\n                      specifically addressed protective requirements for remote access. In\n                      contrast, most organizations had developed and implemented extensive\n                      security procedures governing access to information systems through\n                      internal resources.\n\n                                            Protective Measures\n\n                      While most organizations required at least some level of protection on\n                      Department-owned computers, requirements for remote access using\n                      privately-owned equipment was less stringent or non-existent. Of the\n                      13 organizations we reviewed, only 4 had implemented protective\n                      measures that were substantially consistent with Federal standards.\n\n\n\n\nPage 3                                                                     Details of Finding\n\x0c                           Specifically, many users were not required to use protective measures\n                           such as personal firewalls, virus protection software, and up-to-date\n                           systems software when accessing network resources. While most\n                           organizations required installation of anti-virus software, only two\n                           required virus definitions to be current prior to connecting remotely.\n                           Other than cyber security refresher training, organizations generally did\n                           not provide security awareness training related to remote access. The\n                           use of hardware-based protections such as one-time password\n                           generators, a protective measure that minimizes the risk of additional\n                           damage should other measures be compromised, were required by only\n                           two of the organizations we visited. Without such measures, each\n                           remote connection or session exposed the Department\'s networks to\n                           attack by malicious users.\n\n                           In contrast, one program office we reviewed had well-developed remote\n                           access security procedures. This office independently managed its\n                           network service and aggressively enforced protective requirements.\n                           Remote users were required to attend remote security awareness\n                           training and sign a user accountability form prior to being granted\n                           access. Users were provided with security features without regard to\n                           whether the remote machines were Department or privately-owned.\n                           Prior to permitting network access, automated techniques were used to\n                           access the remote equipment and verify that the necessary security\n                           features had been correctly installed. This organization regarded\n                           remote access as a privilege and terminated the service of users who did\n                           not maintain adequate protective measures.\n\nRequirements for Risk      Federal and Departmental directives require organizations to\nBased Security and         continually assess the risk to computer systems and maintain security\nRemote Access Protection   commensurate with that risk and consistent with standards. For\n                           instance, the Government Information Security Reform Act of 2000 and\n                           Office of Management and Budget (OMB) Circular A-130 require\n                           agencies to adopt a risk-based, life cycle approach to improving\n                           computer security. Specifically, agency security planning should\n                           establish acceptable levels of risk and rules covering such matters as\n                           work at home, individual accountability, awareness training, dial-in\n                           access, connection to the Internet, unofficial use of equipment,\n                           assignment and limitation of system privileges; and periodically\n                           reviewing security controls for adequacy. In addition, Departmental\n                           directives, such as Department Notice 205.1 "Unclassified Computer\n                           Security Program," require each organization to specify information\n                           resources to be protected and protective mechanisms to be used to\n                           ensure that all unclassified information resources under its purview are\n                           protected in a manner that is consistent with threats to it and its\n                           missions at all times.\nPage 4                                                                          Details of Finding\n\x0c                           The Department\'s cyber security architecture also requires that remote\n                           access implementations impose security provisions consistent with\n                           those imposed upon other on-site users. This guidance echoes the\n                           recommendation by the Federal Computer Incident Response Center\n                           that each remote user\'s system be afforded a minimum level of\n                           protection consistent with that of the parent network, such as installing\n                           and validating anti-virus software and updating operating system\n                           security patches prior to allowing remote connection. The National\n                           Institute of Standards and Technology (NIST) also recommended that a\n                           personal firewall be used at all times on computers used for remote\n                           access.\n\nAttention to Remote        Departmental organizations had not focused sufficient attention on the\nAccess Security            risk of harm associated with remote access to unclassified information\n                           systems. Although the Department had developed guidance addressing\n                           remote access, many of the organizations focused the majority of their\n                           protective measures on preventing Internet-based intrusions. The\n                           insufficient focus of most organizations on remote access is\n                           demonstrated, in part, by the fact that few organizations monitored\n                           access activity or maintained detailed information such as type and\n                           owner of equipment or levels and types of access granted. Most sites\n                           also did not evaluate remote access security when performing periodic\n                           oversight or self-assessment activities. Consistent with the overall lack\n                           of focus in this area, organizations also had not developed specific\n                           performance measures or metrics to measure progress. Where cyber\n                           security related site or organization-level goals had been established,\n                           most were non-specific and focused only on overall improvements in\n                           the cyber security area. Because of the lack of attention, organizations\n                           did not devote the resources necessary to assessing the risk associated\n                           with remote access.\n\nUnclassified Information   Inadequate protective measures placed the Department\'s critical\nSystems                    unclassified information systems at risk of attack from internal and\n                           external sources and could ultimately result in data tampering, fraud,\n                           disruptions in critical operations, and inappropriate disclosure of\n                           sensitive or Privacy Act information. In a recent report to management,\n                           the Office of Inspector General disclosed that a malicious user was able\n                           to gain access to an employee\'s government-owned laptop. This\n                           occurred while the employee was remotely connected to the site\'s\n                           network while simultaneously connected to his personal Internet\n                           Service Provider (ISP) at his residence. The review identified\n                           inadequate remote access controls and configuration management\n                           requirements at the site that may have contributed to the compromise of\n                           the laptop. In addition to directly endangering Departmental networks,\n\nPage 5                                                                           Details of Finding\n\x0c                  hackers gaining control of employees\' computers could later monitor\n                  remote access sessions and capture passwords or other sensitive data.\n                  Without adequate attention to remote access security, the Department\'s\n                  networks and information systems will continue to be subject to a\n                  significant risk of compromise. As we have previously reported, the\n                  failure to ensure the security and confidentiality of personal information\n                  could subject employees to the risk of identity theft and intelligence\n                  targeting and the Department to potential litigation.\n\n\nRECOMMENDATIONS   To correct the specific vulnerabilities noted in this report, we\n                  recommended that, for the sites and offices within their responsibility,\n                  the Administrator, National Nuclear Security Administration; the\n                  Assistant Secretaries for the Office of Environmental Management and\n                  Office of Fossil Energy; and the Director, Office of Science:\n\n                     1. Require sites which have not assessed risk or developed and\n                        implemented protective measures to do so immediately; and,\n\n                     2. Require sites or offices to issue clear guidance for remote access\n                        services consistent with Federal, Departmental, and the NIST\n                        requirements for remote access security.\n\n                  To enhance overall security for remote access to unclassified\n                  information systems, we recommend that the Director, Office of\n                  Security work with the Chief Information Officer to:\n\n                     3. Reemphasize the requirement for organizations to perform\n                        formal risk assessments and to develop and implement\n                        protective measures commensurate with the assessed level of\n                        risk;\n\n                     4. Require that remote access security be specifically evaluated\n                        during the security self-assessments required by the Government\n                        Information Security Act of 2000; and,\n\n                     5. Establish specific, quantifiable performance measures for\n                        improving remote access services controls and include them in\n                        the Department\'s Cyber Security Metrics program and the\n                        organization\'s Annual Performance Plan.\n\n\n\n\nPage 6                                              Recommendations and Comments\n\x0cMANAGEMENT REACTION   The Administrator, National Nuclear Security Administration; Assistant\n                      Secretaries for the Office of Environmental Management and Office of\n                      Fossil Energy; and the Director, Office of Science, Director, Office of\n                      Security; and Chief Information Officer concurred with our\n                      recommendations. Management indicated that certain corrective\n                      actions were in process or had been completed. Management\n                      specifically pledged to develop new security policy, associated\n                      implementing guidance, and to improve security planning. Program\n                      level management pointed out that Departmental policy direction was\n                      required to effectively address remote access issues raised in the report.\n                      Also, management stated that direction had been given to specifically\n                      address remote access security during the self assessment-process.\n                      Finally, management noted that although performance measures are the\n                      responsibility of each program office, the requirement for such\n                      measures will be established in new Departmental directive and\n                      guidance. Management\xe2\x80\x99s comments are attached as Appendix 3.\n\n\nAUDITOR COMMENTS      We consider management\'s comments and actions responsive to our\n                      recommendations and the issues addressed in our report.\n\n\n\n\nPage 7                                                  Recommendations and Comments\n\x0cAppendix 1\n\nSCOPE         The audit was performed between December 2001 and May 2002. We\n              assessed the Department\'s performance in managing the risk associated\n              with remote access of unclassified information systems. Our work did\n              not include a determination of whether vulnerabilities found were\n              actually exploited and used to circumvent existing controls.\n\n\nMETHODOLOGY   To accomplish our objectives, we:\n\n                   \xe2\x80\xa2    Reviewed Federal Regulations such as the Government\n                        Information Security Reform Act, Government Performance\n                        and Results Act, OMB Circular A-130, Departmental\n                        Directives and guidance pertaining to information system\n                        security;\n\n                   \xe2\x80\xa2    Reviewed relevant reports issued by the Office of Inspector\n                        General, the General Accounting Office, and Office of\n                        Independent Oversight and Performance Assurance;\n\n                   \xe2\x80\xa2    Held discussions with officials and staff at various\n                        organizations; and,\n\n                   \xe2\x80\xa2    Assessed organizational security practices and analyzed\n                        remote access user details.\n\n              The audit was conducted in accordance with generally accepted\n              Government auditing standards for performance audits and included\n              tests of internal controls and compliance with laws and regulations to\n              the extent necessary to satisfy the audit objective. Because our review\n              was limited, it would not necessarily have disclosed all internal control\n              deficiencies that may have existed at the time of our audit. Because of\n              problems with data inputs, we questioned the validity of computer-\n              processed data.\n\n              Management waived an exit conference.\n\n\n\n\nPage 8                                                      Scope and Methodology\n\x0cAppendix 2\n\n                                              PRIOR REPORTS\n\n\n   \xe2\x80\xa2     Management Challenges at the Department of Energy, (DOE/IG-0538, December 2001).\n         Among other things, the report identified information technology, performance management,\n         and security and safety as the most serious management and performance challenges the\n         Department faces. Consistent with the requirements of the Government Performance and\n         Results Act, the Department should aggressively work to develop and implement performance\n         goals and measures that directly address each of the management challenges identified in this\n         report. Further, actual performance should be assessed against these goals and measures and\n         be independently validated.\n\n   \xe2\x80\xa2     Inspection of Cyber Security Standards for Sensitive Personal Information (DOE/IG-0531,\n         November 2001). The report concluded that the Department does not always meet the\n         requirements of the Privacy Act of 1974, the Freedom of Information Act (FOIA), or the\n         Computer Security Act of 1987 because the Department: (1) does not have a Department-\n         wide baseline criteria for protecting Privacy Act/FOIA personal information; (2) does not\n         group Privacy Act/FOIA personal information with other unclassified sensitive information\n         for protection; and (3) allows individual sites and program offices to develop differing\n         security measures for protection of Privacy Act/FOIA personal information.\n\n   \xe2\x80\xa2     The Department\'s Unclassified Cyber Security Program (DOE/IG-0519, August 2001). The\n         report determined that while the Department has made improvements in its unclassified cyber\n         security program, the program did not adequately protect data and information systems as\n         required by the Government Information Security Reform Act. Problems with design and\n         implementation of cyber security policy, including a lack of monitoring and specific, focused\n         performance measures, contributed to these weaknesses and adversely affected the\n         effectiveness of the entity-wide program. Observed weaknesses increased the risk that critical\n         systems, a number of which enable delivery of essential services to members of the public and\n         other Federal agencies, could be compromised or disabled by malicious or unauthorized users.\n\n   \xe2\x80\xa2     The Department of Energy\'s Implementation of the Clinger-Cohen Act of 1996, (DOE/IG-\n         0507, June 2001). The report summarized 13 information technology (IT) related Office of\n         Inspector General reports. Cumulatively, these reports demonstrated systemic problems with\n         the Department\'s approach to IT management and its method of addressing requirements of\n         the Clinger-Cohen Act of 1996 (Act). Specifically, the Department had not satisfied major\n         requirements of the Act to develop and implement an integrated, enterprise-wide, IT\n         architecture, closely monitor policy implementation efforts, and acquire IT related assets in an\n         effective and efficient manner. We attributed the problems identified, in part, to the\n         Department\'s decentralized approach to information technology management and oversight\n         and the organizational placement of the Chief Information Officer (CIO). The Department\n         has recently taken a number of actions designed to improve the overall management of\n         information technology resources, including making the CIO a direct report of the Secretary.\n\n\n\nPage 9                                                                                         Prior Reports\n\x0cAppendix 2 (continued)\n\n    \xe2\x80\xa2     Virus Protection Strategies and Cyber Security Incident Reporting, (DOE/IG-0500, April\n          2001). The Department\'s virus protection strategies and cyber security incident reporting\n          methods did not adequately protect systems from damage by viruses and did not provide\n          sufficient information needed to manage its network intrusion threat. These problems\n          existed because the Department had not developed and implemented an effective enterprise-\n          wide strategy for virus protection and cyber security incident reporting.\n\n    \xe2\x80\xa2     Department of Energy\'s Consolidated Financial Statements, (DOE/IG-FS-01-01, February\n          2001). The report identified three reportable weaknesses in the Department\'s system of\n          internal controls pertaining to performance measures, financial management, and\n          unclassified information system security. Specifically, performance goals, in many cases,\n          were not output or outcome oriented and/or were not meaningful, relevant, or stated in\n          objective or quantifiable terms. The Department also had certain network vulnerabilities\n          and general access control weaknesses.\n\n    \xe2\x80\xa2     Internet Privacy, (DOE/IG-0493, February 2001). The Department\'s method of collecting\n          data from users of its publicly accessible web sites was not always consistent with Federal\n          regulations. Specifically, some web sites were collecting data by unapproved or\n          undisclosed means and a number of web sites did not display conspicuously located, clearly\n          written privacy notices.\n\n    \xe2\x80\xa2     Unclassified Computer Network Security at Selected Field Sites, (DOE/IG-0459, February\n          2000). Departmental sites audited had significant internal or external weaknesses that\n          increased the risk that their unclassified computer networks could be damaged by malicious\n          attack. Each site evaluated had network vulnerabilities involving poor password\n          management, unnecessary access to certain powerful computer services, weak configuration\n          management, outdated software with known security problems, and/or problems with\n          firewall configuration.\n\n    \xe2\x80\xa2     Review of the U.S. Department of Energy\'s Information Management Systems, (DOE/IG-\n          0423, August 1998). The report stated that the CIO lacked the authority and resources\n          necessary to ensure development of information architectures at the program office level,\n          which form the building blocks of a Departmental architecture. The report added that, as a\n          result, the Department had not developed and implemented information technology\n          architecture, although its Strategic Plan called for the implementation of Department-wide\n          information architecture with supporting standards by January 1998.\n\n\n\n\nPage 10                                                                                      Prior Reports\n\x0cAppendix 3\n\n\n\n\nPage 11      Management Comments\n\x0cAppendix 3 (continued)\n\n\n\n\nPage 12                  Management Comments\n\x0cAppendix 3 (continued)\n\n\n\n\nPage 13                  Management Comments\n\x0cAppendix 3 (continued\n\n\n\n\nPage 14                 Management Comments\n\x0cAppendix 3 (continued\n\n\n\n\nPage 15                 Management Comments\n\x0cAppendix 3 (continued)\n\n\n\n\nPage 16                  Management Comments\n\x0c                                                                              IG Report No.: DOE/IG-0568\n\n                                    CUSTOMER RESPONSE FORM\n\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its products. We\nwish to make our reports as responsive as possible to our customers\' requirements, and, therefore, ask that\nyou consider sharing your thoughts with us. On the back of this form, you may suggest improvements to\nenhance the effectiveness of future reports. Please include answers to the following questions if they are\napplicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or procedures of the\n   audit would have been helpful to the reader in understanding this report?\n\n2. What additional information related to findings and recommendations could have been included in this\n   report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s overall message more\n   clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues discussed in this\n   report which would have been helpful?\n\nPlease include your name and telephone number so that we may contact you should we have any questions\nabout your comments.\n\nName _____________________________             Date __________________________\n\nTelephone _________________________            Organization ____________________\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-\n0948, or you may mail it to:\n\n                                     Office of Inspector General (IG-1)\n                                           Department of Energy\n                                          Washington, DC 20585\n\n                                        ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of Inspector General,\nplease contact Wilma Slaughter at (202) 586-1924.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly and cost\n  effective as possible. Therefore, this report will be available electronically through the Internet at the\n                                            following address:\n\n\n                  U.S. Department of Energy, Office of Inspector General, Home Page\n                                       http://www.ig.doe.gov\n\n                    Your comments would be appreciated and can be provided on the\n                           Customer Response Form attached to the report.\n\x0c'